Aruba Switch Basics

I am very new to Aruba Networks switches. I would appreciate it if I could get a basic level of support on the points below.

I am configuring model # S2500-24P-4X10G PoE.

Can we telnet to the Aruba S2500 switch?

How can we block SSH/telnet?

I have some basic questions for Authentication.

Question 1: Configuration > Authentication > Servers -- I have configured the Internal Server with:

User name: MAC Address of Machine

Password: MAC Address of Machine

Under Role, I can see the list below:

1. authenticated

2. denyall

3. guest

4. guest-logon

5. logon

Can you briefly explain the use of each? What are the roles, and where do we have to apply each role?

Question 2: Configuration > Authentication > Profile

Under AAA Profiles, the default profiles are:

1. default

2. default-dot1x

3. default-mac-auth

Can you briefly explain each, and the application where we have to apply them?

When I click on the New button:

I gave my AAA Profile the name "TEST".

VLAN Assignment Native "1".

Port Assignment: any port belonging to the native VLAN.

Under Initial role, what do I have to select and why?

Under User role, what do I have to select and why?

How is the Initial role different from the User role?

Under User role, what is Derived VLAN?

Under Authentication Method I have the fields below.

I have selected MAC as the authentication method.

There are two selections:

Select from a known profile? What is a known profile, and where do we define it?

Specify a new profile?

Just for your information, I am doing in-house testing. I want to test different features of the S2500; currently I am looking at MAC-based authentication.

Please elaborate. As I have to perform demos at different customer sites, could you also share the demo script for the switch which you guys use to demonstrate the features, and the commissioning demo script?

Re: Aruba Switch Basics

05-08-2013 04:48 AM - edited 05-08-2013 04:57 AM

Hi Muhammad,

SSH and telnet can be used.

To block access via SSH and telnet, you could create a netdestination with a list of all of the addresses that you want to be able to access the switch from. Then build a netdestination of all of the IP interfaces that are active on the switch. Then build an ACL that allows access from those addresses and blocks others. For example:

Question 1: The roles that you have listed are the default roles that are built into the switch. Roles can be used to give different access to different people. You can attach ACLs and VLAN assignments to a specific role.

You can see exactly what is configured for each role by running the command show rights <role name>.

You could have IT administrators in the authenticated role with allowall access and then create a second role for end users which restricts access to certain things.

For question 2: The AAA profiles can be applied globally to the entire switch and also on a per-port or per-VLAN basis. A big thing to remember is that AAA profiles are only used if the port is untrusted. This forces the device to go through some type of authentication process. If the port is trusted, then no authentication will happen.

The Initial Role is used for things like captive portals where the user will end up in a different role after layer 3 authentication. For layer 2 802.1x authentication (EAPOL), the initial role is not used but it is best to apply a denyall rule there.

User role would be the final data access role for the user.

If you are using the internal user database to store mac addresses for authentication, put the mac address as both the username and password.

For MAC Authentication Server Group, you can then use "default" which defaults to the internal user database for authentication.

For MAC authentication Default Role, you would specify the user role that you want MAC auth'ed users to be put into after successful authentication.
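The reply above describes two pieces of configuration in words: the netdestination/ACL approach to restricting SSH and telnet to the switch, and an AAA profile for MAC authentication against the internal user database (denyall initial role, "default" MAC server group, a user role as the MAC default role). The block below is an added example written for this thread, not configuration posted by the replier or shipped by Aruba. All names (mgmt-hosts, switch-ips, mgmt-access, mac-auth-test, TEST), the documentation addresses 192.0.2.x and 10.0.1.1, the interface number and the sample MAC address are hypothetical. The syntax follows the ArubaOS/Mobility Access Switch CLI as I know it (netdestination, ip access-list session, user-role, aaa profile, local-userdb); the interface-level trusted and aaa-profile commands in particular should be checked against the CLI reference for your S2500 release before use.

```text
! Added example for the thread above; names and addresses are hypothetical.
!
! 1. Hosts that are allowed to manage the switch.
netdestination mgmt-hosts
  host 192.0.2.10
  network 192.0.2.0 255.255.255.0
!
! 2. The switch's own IP interfaces, i.e. every address a client could
!    open an SSH or telnet session to. Add one line per active interface.
netdestination switch-ips
  host 10.0.1.1
!
! 3. Session ACL, evaluated top-down with first match winning:
!    SSH/telnet to the switch only from mgmt-hosts, the same services from
!    anyone else are dropped and logged, and all other traffic is left alone.
!    Rule format is <source> <destination> <service> <action>.
ip access-list session mgmt-access
  alias mgmt-hosts alias switch-ips svc-ssh    permit
  alias mgmt-hosts alias switch-ips svc-telnet permit
  any              alias switch-ips svc-ssh    deny log
  any              alias switch-ips svc-telnet deny log
  any any any permit
!
! 4. Attach the ACL to the role that authenticated end users are placed in
!    (show rights authenticated afterwards confirms it is in the policy list).
user-role authenticated
  access-list session mgmt-access
!
! 5. MAC authentication profile plus the AAA profile "TEST" from the thread:
!    initial-role denyall means no traffic passes until authentication succeeds,
!    mac-server-group "default" authenticates against the internal user
!    database, and mac-default-role is the final data-access role.
aaa authentication mac "mac-auth-test"
!
aaa profile "TEST"
  initial-role denyall
  authentication-mac "mac-auth-test"
  mac-server-group "default"
  mac-default-role "authenticated"
!
! 6. Apply the profile to an access port. The port must be untrusted;
!    on a trusted port the AAA profile is ignored and no authentication runs.
interface gigabitethernet 0/0/1
  no trusted
  aaa-profile "TEST"
!
! 7. Internal database entry (exec mode): username and password are both the
!    client MAC. The delimiter and case must match what the MAC authentication
!    profile expects, otherwise the lookup fails and the client stays in denyall.
local-userdb add username 001122334455 password 001122334455 role authenticated
```

Two points worth checking after applying something like this: run show rights authenticated to confirm the session ACL is attached, and test from an address outside mgmt-hosts so the deny log rules are exercised and show up in the logs before the configuration is relied on at a customer site.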